FreeCalypso > hg > freecalypso-sw
comparison rvinterf/doc/tfc139.usage @ 433:2d8ab1b0df8d
rvinterf/doc/tfc139.usage: written
doc/Compal-unlock: typo fix
| author | Michael Spacefalcon <msokolov@ivan.Harhan.ORG> |
|---|---|
| date | Sun, 22 Jun 2014 00:17:44 +0000 |
| parents | |
| children |
comparison
equal
deleted
inserted
replaced
| 432:15e69d31c96f | 433:2d8ab1b0df8d |
|---|---|
| 1 The tfc139 hack-utility (see ../../doc/Compal-unlock) is based on the | |
| 2 rvinterf/rvtdump skeleton, and it needs to be invoked as follows: | |
| 3 | |
| 4 tfc139 [options] /dev/ttyXXX | |
| 5 | |
| 6 In the well-tested use case of breaking into TFC139 phones with fw version | |
| 7 8.8.17, no options are normally needed, but the following options are supported: | |
| 8 | |
| 9 -a address | |
| 10 | |
| 11 This option changes the RAM address into which the "shellcode" is to be | |
| 12 written; the argument is always interpreted as hex. The default is | |
| 13 0x800000, as used by the mot931c.exe closed source tool on whose | |
| 14 reverse-engineering our hack-utility is based. | |
| 15 | |
| 16 -B baud | |
| 17 | |
| 18 This option changes the serial baud rate just like in rvinterf and | |
| 19 rvtdump, but the default is 57600 as needed for breaking into TFC139 | |
| 20 firmware. | |
| 21 | |
| 22 -l logfile | |
| 23 | |
| 24 Log activity in a file, just like rvinterf and rvtdump. | |
| 25 | |
| 26 -s address | |
| 27 | |
| 28 Just like mot931c.exe has been observed to do, we start our stack | |
| 29 smashing attempts at a certain address, and keep incrementing by 4 | |
| 30 until we either succeed or crash the fw in some other way that does not | |
| 31 help us. This option changes the starting address for these stack | |
| 32 smashing attempts; the argument is always interpreted as hex. The | |
| 33 default is 0x837C54, as observed from the reverse engineering of | |
| 34 mot931c. | |
| 35 | |
| 36 -w number_in_seconds | |
| 37 | |
| 38 See rvinterf.usage; the option is the same for tfc139 as for rvinterf. |